Step 2: Create IAM Policy and User

Security best practices for AWS dictate the use of fine-grained permissions to control access to different resources. AWS Identity and Access Management (IAM) allows you to manage users and user permissions in AWS. An IAM policy explicitly lists the actions that are allowed and the resources on which those actions are applicable.

The following are the minimum permissions generally required for a Kinesis Streams producer and consumer.

Producer

Actions: DescribeStream
Resource: Kinesis stream
Purpose: Before attempting to write records, the producer should check if the stream exists and is active.

Actions: PutRecord, PutRecords
Resource: Kinesis stream
Purpose: Write records to Kinesis Streams.

Consumer

Actions: DescribeStream
Resource: Kinesis stream
Purpose: Before attempting to read records, the consumer checks if the stream exists and is active, and if the shards are contained in the stream.

Actions: GetRecords, GetShardIterator
Resource: Kinesis stream
Purpose: Read records from a Kinesis Streams shard.

Actions: CreateTable, DescribeTable, GetItem, PutItem, Scan, UpdateItem
Resource: Amazon DynamoDB table
Purpose: If the consumer is developed using the Kinesis Client Library (KCL), it needs permissions to a DynamoDB table to track the processing state of the application. The first consumer started creates the table.

Actions: DeleteItem
Resource: Amazon DynamoDB table
Purpose: For when the consumer performs split/merge operations on Kinesis Streams shards.

Actions: PutMetricData
Resource: Amazon CloudWatch log
Purpose: The KCL also uploads metrics to CloudWatch, which are useful for monitoring the application.

For this application, you create a single IAM policy that grants all of the above permissions. In practice, you might want to consider creating two policies, one for producers and one for consumers, so that each principal holds only the permissions its role needs. The policies you set up here are reusable in subsequent learning modules in this series.
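The combined policy described above, written out as an added example (not code from the original tutorial): the producer and consumer statements from the two tables, each scoped to a specific stream or table ARN, plus a small check that flags any statement drifting from that minimum. The region, account ID and stream name are constructed placeholders; the table name follows the StockTradesProcessor application name used later.

```python
import json

# Constructed placeholder ARNs; substitute the values from the steps below.
STREAM_ARN = "arn:aws:kinesis:us-west-2:123456789012:stream/StockTradeStream"
TABLE_ARN = "arn:aws:dynamodb:us-west-2:123456789012:table/StockTradesProcessor"

def producer_statements(stream_arn):
    """Minimum producer permissions, scoped to a single stream."""
    return [{"Sid": "ProducerStream", "Effect": "Allow",
             "Action": ["kinesis:DescribeStream", "kinesis:PutRecord", "kinesis:PutRecords"],
             "Resource": stream_arn}]

def consumer_statements(stream_arn, table_arn):
    """Minimum KCL consumer permissions: stream reads, lease table, metrics."""
    return [
        {"Sid": "ConsumerStream", "Effect": "Allow",
         "Action": ["kinesis:DescribeStream", "kinesis:GetRecords", "kinesis:GetShardIterator"],
         "Resource": stream_arn},
        {"Sid": "ConsumerLeaseTable", "Effect": "Allow",
         "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:GetItem",
                    "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem",
                    "dynamodb:DeleteItem"],
         "Resource": table_arn},
        # cloudwatch:PutMetricData is not resource-scoped in IAM, so "*" is required here.
        {"Sid": "ConsumerMetrics", "Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData"], "Resource": "*"},
    ]

def build_policy(stream_arn, table_arn):
    """Single policy granting producer and consumer permissions, as the tutorial does."""
    return {"Version": "2012-10-17",
            "Statement": producer_statements(stream_arn) + consumer_statements(stream_arn, table_arn)}

# Actions for which an unscoped resource is the only option.
WILDCARD_OK = {"cloudwatch:PutMetricData"}

def least_privilege_issues(policy):
    """Return descriptions of wildcard actions or unscoped resources in the policy."""
    issues = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        issues += [f"{st.get('Sid')}: wildcard action {a}" for a in actions if "*" in a]
        if "*" in resources and not set(actions) <= WILDCARD_OK:
            issues.append(f"{st.get('Sid')}: unscoped resource for {actions}")
    return issues

if __name__ == "__main__":
    policy = build_policy(STREAM_ARN, TABLE_ARN)
    print(json.dumps(policy, indent=2))
    print("issues:", least_privilege_issues(policy))  # prints "issues: []"
```

The printed JSON can be pasted into the IAM console as the policy document; the checker is the kind of guard worth keeping in a repository so later edits do not quietly widen the grant to kinesis:* or to every stream in the account.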

To create an IAM policy

Determine the Amazon Resource Name (ARN) for the new stream. The ARN format is as follows:

Determine the ARN for the DynamoDB table to be used by the consumer (and created by the first consumer instance). It should be in the following format:

arn:aws:dynamodb:region:account:table/name

The region and account are from the same place as the previous step, but this time name is the name of the table created and used by the consumer application. The KCL used by the consumer uses the application name as the table name. Use StockTradesProcessor, which is the application name used later.

Expand Show User Security Credentials and save the access and secret keys to a local file in a safe place that only you can access. For this application, create a file named ~/.aws/credentials (with strict permissions). The file should be in the following format: